System Forensics

All your artifacts are belong to me.

WinZip MRU Tool Check

I was playing around with WinZip today and noticed something and wanted to write it down before I forgot to document it. I still need to do some analysis, but wanted to make it known if it wasn’t already. This has to do with the following WinZip registry entry: Software\Nico Mak Computing\WinZip\mru\archives. While writing a new […]

Python Registry Parser (regparse)

I released a tool called Python Registry Parser (or regparse for short), which is a plugin-based Windows Registry parser written in Python. The reason for writing regparse was threefold. 1) I don’t like the output that current registry parsers (GUI/non-GUI) provide. 2) I like RegRipper, but didn’t want to learn Perl. 3) I […]

Manage DFIR Information – A possible solution?

I posted a tweet yesterday asking for some blog request ideas here because I was kind of running out of ideas to write about. So then @Hexacorn tweeted me saying, “perhaps there should be a place where ppl can submit DFIR/RCE requests that interested bloggers could research & write about?” That makes sense. Here I […]

Forensics in the Amazon Cloud – EC2

Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or incident response. Why wait for that phone call before you start diving into the “know how” of conducting […]


Automating Data Reduction via Whitelists

In a previous post (Build your own NSRL Server) I showed people how to get a NSRL server setup so they could filter out whitelisted hashes from md5deep output. I found that I didn’t like that method and never really used it. I had plenty of RAM, so I kept for-looping through my text file of whitelisted files. […]


Do not fumble the lateral movement

I posted a blog post about Windows Processes and how knowing what’s “normal” can be used to spot malicious processes. You can find the post here: I got quite a bit of positive feedback on that post so I figured I would write a similar one for spotting lateral movement on systems. Let me […]

